Abstract. Repackaged malware and phishing malware constitute 86% of all Android malware, and
they significantly affect the Android ecosystem. Previous work uses disassembled
Dalvik bytecode and hashing approaches to detect repackaged malware, but these
approaches are vulnerable to obfuscation attacks and they demand large
computational resources on mobile devices. In this work, we propose a novel
methodology which uses the layout resources within an app to detect apps which
are "visually similar", a common characteristic in repackaged apps and
phishing malware. To detect visually similar apps, we design and implement
DroidEagle, which consists of two sub-systems: RepoEagle and HostEagle. RepoEagle
performs large-scale detection on app repositories (e.g., app markets),
and HostEagle is a lightweight mobile app which helps users quickly
detect visually similar Android apps upon download. We demonstrate the high
accuracy and efficiency of DroidEagle: within 3 hours, RepoEagle can detect 1298
visually similar apps from 99626 apps in a repository. In less than one second,
HostEagle can help an Android user to determine whether a downloaded mobile app
is a repackaged app or phishing malware. This is the first work which
provides both speed and scalability in discovering repackaged apps and phishing
malware in the Android system.